Privacy Policy

PRIVACY NOTICE

Villakola Sdn Bhd (‘the Company’) and its affiliates are committed to complying with the Personal Data Protection Act 2010 of Malaysia (‘PDPA’). This Privacy Notice explains:

  • Type of Personal Data to be collected and the manner of collecting.

  • How the collected Personal Data is being used.

  • The parties to whom the collected Personal Data will be disclosed.

  • The choices the Company offers, including how to access and update your personal data.

  • Your rights as a data subject.

The requirements of the Company under the PDPA are as follows:

  • Develop and implement policies and protocols for the Company to comply with and fulfill the requirements set forth under the PDPA.

  • Develop a set of protocols and procedures for receiving and responding to complaints that may arise with respect to the application of the PDPA.

  • Communicate with its employees about this Privacy Notice.

  • Make information available on request about this Privacy Notice and the complaint process referred to above.

  • Notify the Personal Data Protection Commissioner (“Commissioner”) of any occurrence of a data breach.

The purpose of implementing this Privacy Notice and certain personal data protection internal practices is to ensure that the requirements under the PDPA are fulfilled.

By using the Company’s services and/or registering an account on the Company’s Platform or website, you hereby agree, acknowledge, and accept the practices, policies, and protocols outlined in this Privacy Notice, and you hereby consent to the Company collecting, using, disclosing, and/or processing your personal data subject to the terms herein.

1. PERSONAL DATA TO BE COLLECTED

1.1 The Company will/may collect the following Personal Data from you:

  • Personal data information to establish your identity and background, including your full name, gender, passport or identity card number, nationality, religion, and marital status.

  • Contact information such as billing address, residential address, mobile phone number, and email address.

  • Payment information such as debit or credit card information, including the name of the cardholder, or bank account details.

  • Sensitive information such as racial or ethnic origin, beliefs, health, and criminal background.

  • Marketing and communications data, such as your preferences in receiving marketing from us and third parties, your communication preferences, and the history of communications with us, our service providers, and other third parties.

  • Any other information about you when you signed up to use the Company’s Services or Platform, and when you use the Services or Platform, as well as information related to how you use the Company’s services or platform.

1.2 You hereby undertake that all information submitted to us shall not be incorrect, inaccurate, or misleading, and you shall inform the Company of any unintended inaccuracies or updates to such information. The Company may require, and you shall cooperate to provide, further documentation to the Company for the purpose of verifying the information provided by you.

1.3 By signing up for an account on the Company’s platform or website, you hereby consent to the Company having access to information about you which you have voluntarily provided therein, and the Company will use and manage such information in accordance with this Privacy Notice. Should you no longer consent to the Company using and managing such information, you may notify the Company of your intention to withdraw consent by serving a written notice by way of electronic means to the Company’s Data Protection Officer (“DPO”) at dpo@villaloka.com.my.

2. SOURCE OF PERSONAL DATA COLLECTION

2.1 The Company will/may collect personal data about you:

  • When you register and/or use the Company’s services or platform, or open an account with the Company.

  • When you submit any form, including, but not limited to, application forms or other forms relating to any of the Company's products and services, whether online or by way of a physical form.

  • When you enter into any agreement or provide other documentation or information in respect of your interactions with the Company, or when you use the Company’s products and services.

  • When you interact with the Company, such as via telephone calls (which may be recorded, and you will be notified of the same before the calls start), letters, fax, face-to-face meetings, social media platforms, and emails, including when you interact with customer service agents.

  • When you use the Company’s electronic services or interact with the Company via the Company’s application, or use services on the platform/website. This includes, without limitation, through cookies which the Company may deploy when you interact with the said application or website.

  • When you grant permissions on your device to share information with the Company’s application or platform.

  • When you link your account registered on the Company’s platform/website with your social media or other external account, or use other social media features, in accordance with the provider’s policies.

  • When you carry out transactions through the Company’s services.

  • When you provide feedback or complaints.

  • When you register for a contest; and/or

  • When you submit your personal data to the Company for any other reasons.

The Company may collect personal data about you via affiliates, third parties, and from other sources, including without limitation business partners (such as logistics or payment service providers), credit bureaus or scoring agencies, marketing services providers or partners, referral or loyalty programs, other users of the Company’s services, or publicly available or governmental sources of data.

In some situations, you may provide personal data of other individuals to the Company (such as your family members or friends or persons in your contact list). If you provide their personal data, you represent and warrant that you have obtained their consent for their personal data to be processed in accordance with this Privacy Notice.

3. REASON / PURPOSE OF PERSONAL DATA COLLECTION

The Personal Data collected or received from you, whether with your consent or not, will be used by the Company in accordance with applicable laws and regulations for the following purposes:

  • To verify your financial standing.

  • To manage and maintain your accounts with us.

  • To better manage our business and your relationship with us.

  • To market and to provide you with information on selected third-party products, services, offers, and/or contests which may be of interest to you.

  • To improve our products and services and to test, research, and analyze how customers use the products and services.

  • To deliver any documents to your personal address.

  • To resolve complaints or any potential issues arising.

4. DISCLOSURE OF PERSONAL DATA

As a part of providing services to you and the management or operation of the same, the Company may be required or need to disclose information to the following parties:

  • Relevant governmental or quasi-governmental and regulatory authorities in Malaysia that have a presence, require approvals, or are required to receive such information.

  • Third parties whenever required by law or for legal purposes.

  • Auditors, lawyers, consultants, insurers, advisers, third-party service providers, or legal referral guides who are under a duty of confidentiality to us.

  • All other persons or bodies who provide us with services necessary and/or incidental to our business.

The Company may process your Personal Data, including contacting you for the purpose(s) stated herein, via telephone calls, text messaging, emails, post, or by whatsoever form of available modes of communication.

5. PROCESSING PERSONAL DATA OUTSIDE MALAYSIA

5.1 The Company primarily processes your personal data and sensitive personal data within the jurisdiction of Malaysia. However, in certain cases, your personal data may be transferred, disclosed, and/or disseminated to any company, including an affiliate or partner of the Company, which may involve sending your data to a location outside Malaysia. The Company will ensure that any other country processing your personal data has equivalent and enforceable data protection laws and regulations which are substantially the same as the PDPA, or at the very least, provide an equivalent level of protection as the PDPA encompasses.

6. RETENTION OF PERSONAL DATA

6.1 The Company retains Personal Data for as long as necessary to fulfill the purposes listed in paragraph 3, or as required and permitted by Malaysia’s laws and regulations.

However, the Company will cease to retain such Personal Data or any document containing such Personal Data, or remove the means by which the Personal Data can be associated with you through anonymization, as soon as it is reasonable for the Company to assume that the purpose for which the Personal Data was collected is no longer being served by the retention of such Personal Data and/or retention is no longer necessary for legal or business purposes.

7. SECURITY MEASURES

7.1 The Company endeavors to take all reasonable steps and hereby undertakes to secure and protect your personal data by implementing appropriate administrative and security safeguards and procedures in accordance with applicable laws and regulations to prevent unauthorized or unlawful processing of personal data and accidental loss or damage to personal data.

7.2 In order to ensure that your personal data is safeguarded from any unauthorized use, collection, disclosure, or unlawful use, the Company will be adopting and/or implementing the following appropriate measures:

  • Keeping the Company’s software and operating systems up-to-date with the latest security patches to address vulnerabilities.

  • Installing firewalls on every office computer.

  • Maintaining or securing backups of personal data offsite.

  • Implementing a clear desk policy.

  • Restricting access to personal data to any third-party individuals without authorization or without your consent; and

  • From time to time implementing any other latest security measures as required or permitted by Malaysian laws and regulations.

7.3 While the Company may have adopted and/or implemented the appropriate measures as stipulated in paragraph 7.2 above to secure any personal data given, the Company shall not be held liable or accountable for any unauthorized or unintentional access that is too remote or beyond the Company’s control. In addition, the Company’s software and operating systems may still be subject to vulnerabilities, particularly security breaches, and the Company shall not be held responsible for vulnerabilities due to viruses, trojan horses, worms, and unauthorized hackers.

8. RIGHTS AS DATA SUBJECT

We recognize your rights to access your own personal data that was given. We shall comply with your demand for the purpose of access to your own personal data being collected, stored, and processed by us.

In any case, if you consider that certain information about you is inaccurate or outdated, you may request rectification of such data from us. You also have the right to request the blocking or erasure of data which has been processed unlawfully.

We also recognize your rights to data portability, and you may request the transmission of your personal data to any other third-party data controller of your choice, provided always that a written notice by way of electronic means has been served to the Company. Your written notice shall specify accurately the details of the third-party data controller, including the purpose and particulars of your personal data to be transmitted. Upon successful transmission of your personal data to a third-party data controller, we shall not be responsible or liable for any breach of your personal data by such third-party data controller.

9. APPOINTMENT OF DATA PROTECTION OFFICER

9.1 We will appoint a senior staff member as our DPO for the primary purpose of ensuring that the Company is at all times complying with the PDPA and any recent changes and amendments thereto.

The responsibilities of the appointed DPO are as follows:

  • From time to time providing advice and monitoring our employees regarding related data protection laws and regulations.

  • Developing and implementing data protection policies and protocols within the Company and providing standard training to our employees in handling personal data or any sensitive data.

  • Keeping the Company and its employees updated in relation to any amendments made to the PDPA and further improvising data protection policies and protocols within the Company.

  • Handling and investigating any complaints from data subjects in relation to personal data breaches.

  • Acting as a point of contact facilitating communications between the Company and its data subjects.

  • Assisting with the preparation, processing, and submission of reports and any other documents required by the Commissioner in relation to personal data breaches.

  • Acting as a point of contact facilitating communications between the Company and the Commissioner.

9.2 We will ensure that the appointed DPO is well-experienced and knowledgeable in the PDPA and has a great understanding of the business nature of the Company. The appointed DPO shall always maintain integrity and act professionally in ensuring compliance with the PDPA by the Company.

10. MANDATORY NOTIFICATION OF DATA BREACH

We hereby undertake that in the event there is a personal data breach, or your personal data was published and leaked unintentionally and such mistake was caused by us, we shall make an assessment of the risk of such data breach before notifying the Commissioner.

If the Company has reasonable grounds to believe such data breach causes or is likely to cause any significant harm to its data subjects, we shall by all necessary means notify the data breach to the Commissioner without delay and within three (3) days from the date of occurrence of such data breach.

In addition to the duty to notify the Commissioner, the Company shall within seven (7) days from the date of notifying the Commissioner of the data breach, inform you and/or any data subjects of such breach via telephone calls, text messaging, emails, post, or by whatsoever form of available modes of communication based on the personal data provided to the Company.

Should you discover or suspect any breach of personal data which is not known to the Company, you shall promptly notify us by contacting the Company’s appointed DPO at dpo@villaloka.com.my for onward investigation, and upon verification of such breach, the Company shall notify the Commissioner of the same without unnecessary delay.

11. UPDATES TO THIS PRIVACY NOTICE

11.1 The Company reserves the right to amend, modify, vary, or update this Privacy Notice at its sole discretion from time to time, as and when the need arises. The most recently published Privacy Notice shall prevail over any of its previous versions. You are encouraged to check this Privacy Notice from time to time to stay informed of any changes. You agree to adhere to the terms of the Privacy Notice, including any variations therein.

By submitting your Personal Data to us, you hereby acknowledge that:

  • You have read and understood this Privacy Notice and agree and consent to the use, processing, and transfer of personal data as set out herein.

  • All information and representations provided are true and correct to the best of your knowledge, and you have not knowingly omitted any relevant information which may have an adverse effect.